mirror of
https://github.com/khuedoan/homelab.git
synced 2024-12-23 01:04:32 +07:00
docs: update decision record for Vault removal
parent 093cc0d713
commit fc2d0d48a5
@ -19,6 +19,50 @@ They are not permanent, we can change them in the future if better alternatives
- CHANGEME
## Remove HashiCorp Vault
**Context**
- HashiCorp changed their license, and it's no longer free/libre software.
One of the highest priorities of this project is to minimize
the usage of non-free software as much as possible, so I don't really
want to keep Vault, especially considering the next point.
- Vault is fairly complex to maintain properly. This project only uses
Vault for two things: basic key-value secret store and its API to
create and manage secrets dynamically. With the new Kubernetes secret
provider in External Secrets, both features can be replaced with
Kubernetes's built-in secrets and API server.
- A related goal of using Vault as an identity provider for SSO will be
discarded, and we'll use Authelia instead, which has a beta identity
provider feature (or use another alternative).
**Decision**
Replace Vault with a simplier in-cluster global secret store.
**Consequences**
Unlike secret path in Vault, Kubernetes does not support `/` in object name.
We need to change secret convention from `path` to `name` and replace `/` with `.`.
Update secret generator config:
```diff
-- path: gitea/admin
+- name: gitea.admin
data:
- key: password
length: 32
```
Update secret references in `kind: ExternalSecret`:
```diff
remoteRef:
- key: /gitea/admin
+ key: gitea.admin
```
## Manage package versions in tools container
**Context**
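Review bot: the **Consequences** section of the new "Remove HashiCorp Vault" record only covers the naming change (`path` to `name`, `/` to `.`), while the **Context** bullets say Vault's key-value store and dynamic-secret API are being replaced by "Kubernetes's built-in secrets and API server"; the security trade-off of that swap is not written down and belongs in this record. Suggest adding a consequence along the lines of: values the generator creates (for example `gitea.admin`) now live as Kubernetes Secrets, which sit in etcd unencrypted unless encryption at rest is configured, and RBAC on the `secrets` resource becomes the access boundary that Vault policies used to provide. Also, "simplier" in the **Decision** line should read "simpler".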